Facebook and privacy just don’t seem to be the best of friends, and today the social network had to remove a whole API in order to stop personal data being accessible by third parties.
The API in question was flagged by Symantec as a possible security hole that could have given third parties access to private data, via apps that used certain parts of legacy code and inadvertently shared access tokens.
Today, however, Facebook said on its developer blog that the offending API has now been removed, and the company has not found any evidence of data being leaked.
"As part of these efforts to make our Platform more secure, we have been working to transition apps from the old Facebook authentication system and HTTP to OAuth 2.0 (an open standard co-authored with Yahoo, Twitter, Google, and others) and HTTPS. Because of the number of apps using our legacy auth system, we need to be thoughtful about this transition. Over the past few weeks, we determined that OAuth is now a mature standard with broad participation across the industry. In addition, we have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure. This has led us to conclude that migrating to OAuth & HTTPS now is in the best interest of our users and developers."
While Facebook assures us that there was no data leaked, we still highly recommend changing your Facebook password, just to be on the safe side.